Some of us were taught that internal control for smaller entities was an oxymoron. My supervisors made it clear that, because segregation of incompatible duties was not usually possible for smaller entities, internal control was non-existent. In 2006, COSO changed the rules by publishing Internal Control over Financial Reporting — Guidance for Smaller Public Companies and recognizing there are different rules for larger and smaller entities.
Essentially, COSO said internal controls for smaller entities are more likely to be informal and carried out by one or a few persons. COSO’s guidance, audit standards from the PCAOB and AICPA attestation standards all require a top-down approach whenever considering internal controls. One or a few management persons performing control procedures (top-down) can produce a good internal control system for a smaller entity!
Control procedures consist of entity-level and activity-level controls. For smaller entities, public or non-public, the design of control procedures should focus primarily on the entity-level (top-down) since the activity-level controls may be ineffective due to a lack of segregation of duties. Entity-level controls are the key controls for smaller entities and are the most effective for preventing errors or fraud from occurring and going undetected. If entity-level controls are properly designed, and if they are diligently performed by management and/or persons charged with governance, a small entity can have a good internal control system. This can be true even for an entity with only two or three accounting personnel!
Here are six components of a good internal control system for smaller entities:
1) Management personnel should have high integrity and ethical values and be committed to diligently performing key internal control procedures. For a smaller entity, management’s character shapes the control environment.
2) Boards of governance should have more “hands-on” oversight involvement in the entity’s activities. Some board members may even perform monthly entity-level controls such as inspecting and approving supporting documentation for checks written.
3) Key controls performed by management personnel can overcome the lack of segregation of duties. COSO suggests reviews of accounting systems reports, inspections of supporting documents for selected transactions, overseeing periodic counts of inventories and reviewing bank statement and other reconciliations.
4) An IT system that limits risks of errors or fraud can produce better and more accurate financial reports. Standardized reporting formats, password and processing controls and other application controls should be included in accounting software.
5) Monitoring control activities are primarily the responsibility of management. Smaller entities’ management should be performing daily “walk-around” controls that provide feedback on the effectiveness of accounting, internal control and operational systems.
6) The system of internal control should maximize effectiveness and efficiency by including activities that are tailored to the nature, size and complexity of the entity. Since policies and procedures are usually informal for smaller entities, management personnel should communicate internal controls through frequent contact with accounting personnel. The performance of basic activity-level control procedures, such as determining that all shipments are billed, that invoices are initiated only after shipments are made and that bank accounts are reconciled timely, should be documented in the accounting records for periodic management inspection.
Will these internal controls prevent all errors or fraud from occurring and going undetected? Certainly not! They will ordinarily, however, accomplish management’s control objective of providing reasonable assurance an entity’s financial reporting process is accurate.
If you are interested in digging deeper into this subject, you may wish to register for my live webcast entitled Designing Internal Control Systems for Small Entities. By clicking on the Live Webcasts box on the homepage of my website, www.cpafirmsupport.com, you can download a syllabus and register. Come have some fun with me!